Dragons in the Algorithm
Adventures in Programming
by Michael Chermside

Password in Pieces

I came across the following question on reddit:

My bank on the online banking login instead of having a password field it presents you with 3 password fields 1 character each where it asks you for 3 characters from your password, chosen randomly. E.g. the 2nd, 4th and 7th.

I wanted to respond to this, because not only is it an incredibly misguided attempt at security which seriously weakens actual security, it also sounds familiar. Because a few months ago my employer considered doing something just like this. Let me recount the story:

I work for a bank, so we care a LOT about security. Customers call into our call center and to identify themselves they get connected to the IVR (interactive voice response unit... telephone system) to enter their PIN (a 4 to 8 digit passcode). An important feature is that we cut out the phone reps from hearing this... because we want your password to be a secret EVEN FROM OURSELVES. All of this is good security design.

We opened up a new call center in Hawaii, and they had some problems. Apparently the phone system we were using had a time limit when transferring a call -- if it wasn't picked up by the remote phone switch within a few milliseconds then it was disconnected. The ping time between the Hawaii call center and our east-coast data center was just a little too long and many of the calls were being disconnected when they were transferred to the IVR to enter the PIN.

The first solution that they thought of was to stop using the IVR to enter PIN numbers. Instead, the idea was that they would instead create a system where the phone reps asked the customers for certain digits out of their PIN (just as described in enanoretozon's reddit question). They would type this in and then the customer could log in. Apparently, this was the standard practice at our German subsidiary, and had somehow become blessed as the official corporate-wide best practice.

Well, it may be an official "best practice", but it's still a very bad idea, for two reasons. The first reason should be completely obvious if you just try it. First, say your phone number out loud. Now say the 3rd, 6th, and 4th characters of it. For most normal people, the second will take many times longer, and be much harder, even though it is only 3 digits. There is always a tradeoff between security and usability (We could provide perfect security if we never allowed anyone to take their money out of the bank. Of course, usability would have dropped to zero.), and entering random digits has SUCH poor usability that it is not worth it.

[caption id="attachment_345" align="alignright" width="240" caption="Random Digits"]Random Digits[/caption]

Besides that, it is also less secure. There are, if you consider it, multiple different kinds of attacks that we need to protect against. One kind, certainly, is attacks by unscrupulous bank employees who might misuse a customer's login credentials. But another far more likely attack is a third-party who wants to steal from a customer's account.

Such an attacker, if they didn't know the customer's PIN, would have to guess. To prevent repeated guessing, we will temporarily lock out a customer's account after a certain number of incorrect login attempts. But a clever attacker would just try different customers, making just one guess for each one.

Equation

With (for instance) a 6-digit pin, the expected number of guesses before the attacker got one right is around 100,000. Long before an attacker managed to try even a small fraction of 100,000 guesses, we would have noticed what they were doing and put a stop to it. But we only ask for 3 particular digits out of the password, then the attacker only needs to try about 1000 times before she is expected to guess correctly. There is a good chance that we would catch that, but (particularly if they spoof their phone number) we might not.

So we traded better defense against a rare attack (we don't hire a lot of employees who commit bank fraud) for much worse defense against a common attack (we detect and stop attempted attacks of various sorts every single week!). It is NOT an improvement.

So... after these points were raised, we chose not to implement our German counterpart's policy. What did we do instead?

Very simple: we fixed the phone system so it could transfer calls properly.

Posted Sat 05 December 2009 by mcherm in Programming